Lookey here picoCTF 2022 Solution

Published: July 20, 2023

Description

Attackers hid the flag in a huge text dump. Download the file and grep for picoCTF to recover it.

Use grep to search for pico inside the file - eyeball one line first to see the structure.

Pull just the flag token with grep -o, which prints only the matching part of each line.

bash
grep pico anthem.flag.txt | head -1
bash
grep -o 'picoCTF{[^}]*}' anthem.flag.txt

Solution

Want to try it yourself first?

The guided walkthrough reveals hints one step at a time.

Walk me through it
  1. Step 1
    Search with grep
    Observation
    I noticed the challenge description explicitly said the flag was hidden inside a huge text dump and told us to use grep, which suggested that searching the file by pattern rather than reading it manually was the intended approach.
    Run grep pico anthem.flag.txt | head -1 first to see the line structure before trying to extract just the token. Knowing the surrounding text decides whether you reach for cut, a sed substitution, or the simpler grep -o 'picoCTF{[^}]*}'.
    What didn't work first

    Tried: Opening anthem.flag.txt in a text editor and manually scrolling through it to find the flag.

    The file is intentionally large - a huge text dump as the challenge description warns - so scrolling is impractical and error-prone. grep scans every line in milliseconds and highlights the match, making it the correct tool here.

    Tried: Running grep 'picoCTF' anthem.flag.txt with capital letters and hoping it prints just the flag.

    This works for finding the matching line, but it prints the entire surrounding line of text rather than just the flag token. You still need a second step to isolate the flag portion, which is why piping through head -1 first helps you understand the line structure before automating extraction.

    Learn more

    grep (Global Regular Expression Print) scans files line by line and prints any line matching a given pattern. It is highly optimized - grep on a modern system can scan gigabytes per second - making it far faster than manually scrolling through a large file or opening it in a text editor.

    Because grep uses regular expressions by default, you can search for patterns rather than literal strings. For example, grep -E 'picoCTF\{[A-Za-z0-9_]+\}' would match any properly formatted flag. For this challenge, the simple literal pico is sufficient and avoids the need to escape special characters.

    grep is one of the most-used tools in a security analyst's daily workflow: searching log files for IP addresses or error messages, hunting through code for dangerous function calls, and extracting patterns from large data dumps are all common use cases. Learning its flags (-i for case-insensitive, -r for recursive, -n for line numbers, -o for printing only the match) multiplies its utility significantly.

    For very large files - gigabyte-scale log dumps that might appear in forensics challenges - grep remains highly efficient because it reads line by line without loading the whole file into memory. If you need even faster searching on enormous datasets, ripgrep (rg) is a modern alternative that uses parallel threads and SIMD instructions to significantly outperform grep on multi-core systems.

    Context flags are useful when you find a match but need to understand surrounding content: -A 3 shows three lines after the match, -B 3 shows three before, and -C 3 shows three on each side. This is especially valuable in log analysis where the important information (e.g., an IP address or session ID) appears on the line before or after the keyword you searched for.

  2. Step 2
    Clean the output
    Observation
    I noticed that a plain grep on the file returns the entire surrounding line rather than just the flag token, which suggested using grep -o with a pattern anchored to the picoCTF{...} format to extract only the matching portion without manual trimming.
    Use grep -o 'picoCTF{[^}]*}' anthem.flag.txt for a single-shot extract that doesn't depend on column positions. The sed-and-cut pipeline below stays around as a fallback when the surrounding line shape is reliable.
    What didn't work first

    Tried: Copying the whole matched line from the grep output and manually trimming away everything before and after the flag token.

    This works for a one-time extraction but is tedious and prone to accidentally including extra whitespace or characters. The grep -o flag does this automatically - it prints only the substring that matched the pattern, giving you a clean flag with no manual trimming needed.

    Tried: Using cut -d ' ' -f7 without first checking which field position the flag token falls on.

    The field number depends on the exact structure of the matched line. If the line has a different number of space-separated tokens than expected, cut silently returns the wrong field or nothing at all. Always inspect the raw grep output first with | head -1 to count the fields, or use grep -o to skip field-counting entirely.

    Learn more

    sed -e 's/^ *//' is a regular expression substitution that removes leading whitespace: ^ anchors to the start of the line, * matches zero or more spaces, and the replacement is empty (deleted). This is a common cleanup step when text fields have inconsistent indentation.

    cut -d ' ' -f7 then selects the seventh space-delimited field, which is where the flag token falls in this particular line. The exact field number depends on the structure of the matched line - you would determine it by inspecting the raw grep output first. Alternatively, grep -o 'picoCTF{[^}]*}' uses the -o flag to print only the matching portion, which is often cleaner than field-counting.

    sed's substitution syntax (s/pattern/replacement/flags) is extremely versatile. The g flag replaces all occurrences on a line; the I flag (GNU sed) makes it case-insensitive. For multi-line transformations or more complex logic, awk is more appropriate - it processes each line as a record with fields, making it natural for structured output like log files and CSV data.

    In CTF forensics, "needle in a haystack" challenges like this one simulate realistic incident response work: a defender receives a massive log file or network capture and must locate the one line containing a malicious payload, exfiltrated secret, or attacker communication. Developing fast, reliable search patterns for common formats (IP addresses, Base64 strings, hex sequences, flag formats) directly translates to real-world blue team skills. The full grep/awk/sed/jq toolkit is collected in Linux CLI for CTF.

Interactive tools
  • Strings ExtractorPull printable text from any binary, library, or image. ASCII and UTF-16 detection, configurable minimum length, flag-like highlight, no command line needed.

Flag

Reveal flag

picoCTF{gr3p_15_@w3s0m3_2116...}

Classic grep exercise-useful reminder to search rather than scroll.

Key takeaway

Pattern matching with regular expressions is faster and more precise than manual inspection of large text corpora, because the tool scans every byte without fatigue or distraction. Knowing a fixed prefix of the target string (like a flag format or an IP address range) turns an exhaustive search into a one-liner. The same skill directly applies to incident response log triage, malware IOC hunting, source-code secret scanning, and network capture analysis, where the relevant needle may appear once in millions of lines.

Related reading

Want more picoCTF 2022 writeups?

Tools used in this challenge

What to try next